Starting with AIX 7.1, CSM is no
longer supported or available. It has been replaced by Distributed Systems
Managment (DSM).Section 5.2 of the IBM AIX 7.1 Differences Guide Redbook provides
details of the new DSM capabilities.

Fortunately DSM still provides access
to the dsh command.I’ve written about how I’ve used this utility
in the past. The new dsh command (and other tools) are
provided in the new DSM filesets named dsm.core
and dsm.dsh.

These filesets are NOT installed by default. You must
manually install them. They can be found on your AIX 7.1 media.

If dsh is something you use, then I recommend you read the section on
DSM in the Redbook. Also take a look at section 5.2.7 Using DSM and NIM,
in which it describes how you can integrate DSM and NIM and completely automate
the installation of AIX:

“The
AIX Network Installation Manager (NIM) has been enhanced to work with the Distributed
System Management (DSM) commands. This integration enables the automatic
installation of new AIX systems that are either currently powered on or off.”

Although I’ve written about the dsh command before, there’s one usage
I’ve not covered.And that is using dsh to manage users across a group of
LPARs. In particular, changing a user’s password.

Before I go any further, I should
state that for the following to work you must first configure ssh keys on your
NIM master (or central mgmt AIX system) so that you can communicate with all of
your AIX systems via SSH, as root,without being prompted for a password. Read my article on dsh to find out how to do this if
necessary.

In the following example, I use dsh from my NIM master. It is my
central point of control for my AIX environment.

My ssh keys for root on my NIM master
have been generated and distributed to all of my LPARs.

root@nim# ssh-keygen -d

Generating public/private dsa key pair.

Enter file in which to save the key (/.ssh/id_dsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /.ssh/id_dsa.

Your public key has been saved in /.ssh/id_dsa.pub.

The key fingerprint is:

ed:18:e9:00:37:13:7c:7c:74:6a:a9:e0:ad:c0:09:a9
root@nim

The key's randomart image is:

+--[ DSA 1024]----+

|... .. .|

|...o .+|

|o .
=. .+|

| . o = = =|

|E+ o
S .|

|.
+ +|

|.
o .|

||

||

+-----------------+

root@nim# ls -ltra

total 40

-rw-------1 rootsystem214 17 Sep 2010authorized_keys

drwxr-xr-x7 rootsystem4096 16 Nov 11:43 ..

-rw-r--r--1 rootsystem3615 16 Nov 12:04 known_hosts

-rw-r--r--1 rootsystem601 16 Nov 12:06
id_dsa.pub

-rw-------1 rootsystem672 16 Nov 12:06 id_dsa

drwx------2 rootsystem256 16 Nov 12:06 .

On my AIX LPARs, the authorized_keys file has been updated with
the public ssh key from my NIM master:

On the NIM master, the root user was
configured for the DSH environment. The following entry was placed in roots .profile:

root@nim# cat /.profile

ENV=$HOME/.kshrc

The following entry was placed in
roots .kshrc file:

root@nim# cat /.kshrc

export
DSH_NODE_RSH=/usr/bin/ssh

export
DSH_NODE_LIST=/usr/local/etc/nodes

A /usr/local/etc/nodes
file was created on the NIM master. This file contains a list of each of the
nodes that dsh can communicate with
from NIM:

root@nim# cat /usr/local/etc/nodes

aixlpar1

aixlpar2

aixlpar3

aixlpar4

aixlpar5

aixlpar6

aixlpar7

aixlpar8

aixlpar9

aixlpar10

aixlpar11

The first time that the dsh command is run against a new host,
the following message will be displayed. dsh
uses the FQDN, and the FQDN needs to be added to the known_hosts file for ssh. Therefore you must make an ssh connection first with FQDN to the
host:

root@nim# dsh uptime

aixlpar1.cg.com.au
: Host key verification failed.

dsh:2617-009 aixlpar1.cg.com.au remote shell had exit code 255

It is necessary to ssh directly to each node using its
FQDN. This step is only required once for each node. For example:

root@nim# ssh aixlpar1.cg.com.au

The authenticity of host 'aixlpar1.cg.com.au (172.1.6.17)' can't be established.

I set the users password to abc123,
using the chpasswd utility. I also
remove the ADMCHG flag so that the
user is not prompted to change their password on their first logon attempt.

root@nim# dsh 'echo cg:abc123 | chpasswd -c'

I confirm that I can logon with the
new user with the specified password, on one of the AIX LPARs.

root@nim# ssh cg@aixlpar1

cg@aixlpar1’s password:

Last login: Thu Mar1 20:05:01 CST 2012 on /dev/pts/1 from aix71

$
id

uid=204(cg)
gid=1(staff)

Another nice feature of dsh is the dshbak utility. This utility presents formatted output from the dsh command. For example:

root@nim 520 [/.ssh]# dsh errpt | dshbak

HOST:
aixlpar1.cg.com.au

------------------------------------

IDENTIFIER TIMESTAMPT C RESOURCE_NAMEDESCRIPTION

AA8AB2411116110811 T O OPERATOROPERATOR NOTIFICATION

A6DF45AA1104135011 I O RMCdaemonThe
daemon is started.

2BFA76F61104134111 T S SYSPROCSYSTEM SHUTDOWN BY USER

9DBCFDEE1104134111 T O errdemonERROR LOGGING TURNED ON

HOST:
aixlpar2.cg.com.au

-------------------------------

IDENTIFIER TIMESTAMPT C RESOURCE_NAMEDESCRIPTION

DE9A52D11111012611 I S rmt10AAA1

4865FA9B1111012211 P H rmt10TAPE
OPERATION ERROR

DE9A52D11110233511 I S rmt0AAA1

4865FA9B1110225511 P H rmt0TAPE
OPERATION ERROR

DE9A52D11109180311 I S rmt0AAA1

4865FA9B1109180011 P H rmt0TAPE
OPERATION ERROR

DE9A52D11108180411 I S rmt2AAA1

4865FA9B1108180211 P H rmt2TAPE
OPERATION ERROR

DE9A52D11108165711 I S rmt6AAA1

4865FA9B1108165111 P H rmt6TAPE
OPERATION ERROR

A22058611102085311 P S SYSPROCExcessive interrupt disablement time

F7FA22C91031134111 I O SYSJ2UNABLE TO ALLOCATE SPACE IN FILE SYSTEM

DE9A52D11030163411 I S rmt0AAA1

4865FA9B1030163411 P H rmt0TAPE
OPERATION ERROR

....etc....

WARNING: Please be VERY CAREFUL when using the dsh command. Issuing
the wrong command can cause damage to all your AIX LPARS!

The dsm.dsh package contains the following utilities:

# lslpp -f
dsm.dsh | grep /usr/bin

/usr/bin/dcp
-> /opt/ibm/sysmgt/dsm/bin/dcp

/usr/bin/dsh
-> /opt/ibm/sysmgt/dsm/bin/dsh

/usr/bin/dping
-> /opt/ibm/sysmgt/dsm/bin/dping

/usr/bin/dshbak
-> /opt/ibm/sysmgt/dsm/bin/dshbak

If you are a
fan of the dping command, you are
going to be disappointed. Although the command is currently included in the dsm.dsh fileset, it probably won’t be
for much longer.

The command
works, “sort of”:

root@nim#
dping aixlpar1

aixlpar1: ping (alive)

But if you
run ‘dping –a’:

root@nim# dping
-a

dping: 2651-095 CSM license has
expired or has not been accepted. Run csmconfig -L if you have installed a new
release.

According to
the developers, dping is no longer
supported and will eventually be removed from the DSM package. The response
from the developers was as follows:

"The
reason "dping -a" is failing with the license check is because the
command is calling “/usr/bin/runact-api –c IBM.DmsCtrl::::isLicenseValid"
and the license is not set. So the command fails. Since CSM is not
supported anymore and went end of life. "

“...
please consider the dping command as being "deprecated" code pending
removal from the dsm.dsh package.”

When I asked why the command was listed in the AIX 7.1 online
documentation if it was no longer available, I was informed: “We are
in the process of working with component owner regarding the DOCs and updating
them.”. At this
stage I’ve not been able to find an alternative command (in AIX). If I find
one, I’ll update this post.

If you are
planning on migrating to AIX 7.1 please be aware that CSM is no longer
supported or available with AIX 7.1. CSM is now ‘end of life’.